Opinion: Standards bodies basically whiffed on the matter, but private industry seems to have taken the ball and is running fast.
Just when Im done dismissing the potential for e-mail authentication to become an effective standard, evidence is presented to the contrary.
The E-mail Authentication Summit on April 19 wasnt even the highest-profile event at the hotel where it took place (Secretary of State Condoleezza Rice spoke to the Chicago Council on Foreign Relations
there the same day). The 2005 Summit got a lot more ink.
But according to the Email Sender and Provider Coalition
(I think this used to be the Email Service Provider Coalition
), adoption has been moving along at an aggressive pace.
Much more of the total body of Internet E-mail comes from organizations supporting one of the two main authentication standards than you might think. Support by large senders is why.
Dont get me wrong, I really want to believe this, but Im suspicious. My guess right now is that their basic point is right, but that its not as far along as they want their numbers to imply.
The basic point is that adoption of SIDF (Sender ID Framework) and DKIM (DomainKeys Identified Mail) has moved along aggressively in the last year among large players, to the point where everyone else has to start dealing with it.
Theyre trying to portray an image of momentum that e-mail players have to start moving along with authentication because theyll be left behind if they dont.
Consider this claim: "AOL, Microsoft and Yahoo, whose combined e-mail accounts receive over 50 percent of the commercial e-mail in the country, support at least one of the current authentication standards."
Many other large senders of e-mail, the ones with the biggest interest in authentication succeeding (Citibank for example), are adopting it. DKIM support in all Internet mail is up from nothing to 9 percent inside of a year, and SIDF is up to 35 percent.
But adoption is a complex task. A cursory look at the SIDF and DKIM standards would give you the impression that its just a matter of making some DNS changes and maybe upgrading your mail servers to support some new tools, but for a large organization it can be quite complex.
You have to have clear control over all the outbound mail sources for your organization, including those belonging to outside service providers.
You have to establish procedures that must be followed whenever DNS or mail server changes are made.
As a result, many of the organizations that are said to be in compliance are only partly so.
For example, they may not have all their subsidiary organizations in compliance, they may not have worked out all the details with outside service providers (although the legitimate ones are enthusiastic supporters of authentication).
The inbound/outbound issue.